1. Field of the Invention
The present invention relates generally to defending computer systems from malicious attacks. More specifically, the present invention relates to preventing unauthorized or unverified applications from infecting computing devices with malware.
2. Description of the Related Art
Current approaches to preventing malware from infecting a computing device may involve examining the operating behavior of the device. One way of tracking the behavior of a computer is to utilize a so-called “application emulator” program. Application emulator programs measure and observe how a computer, or any type of computing device, operates or behaves when executing an application, and detect potential malware through these measurements and observations. These emulator programs (“emulators”) emulate an operating environment, creating a “sandbox” area in which certain application programs can execute. By executing in this sandbox, the applications are prevented from harming components of the computer, such as mass storage components and processors, and from corrupting data on the computer, in the event that the applications are malicious, unpredictable, or harmful in any manner.
One specific type of emulator that is often used for tracking behavior for malware detection is an API-proxy-based application emulator. This kind of emulator allows application programs that are operating in the sandbox to have full access to the computer's persistent storage component, such as a hard disk. For example, the emulator intercepts system calls made by an application and re-directs certain ones, such as API (application programming interface) requests, to modules in the operating system. As noted, the emulator can monitor the behavior of an application by virtue of the application running in the emulated environment (the application is also said to be running on a “virtual CPU”). All or most system calls go through an API-adaptor in the emulator, which enables monitoring of API call sequences to the operating system.
However, as a consequence, the hard disk or other primary persistent storage component becomes vulnerable when the API-adaptor redirects API calls to the operating system. For example, file input/output (I/O) operations are able to go directly to the hard disk. By allowing file I/O commands coming from a potentially harmful application executing in an emulator environment to access the hard disk, data stored on the disk is in danger of being corrupted or infected. This type of damage is sometimes referred to as out-of-box damage (the “box” referring to the sandbox discussed above).
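The following Python sketch is an added illustration of the API-adaptor architecture described above; it is not code from the patent. A guest “application” makes file API calls through an adaptor that records the call sequence (the monitoring benefit) and forwards each call to a backend. With the pass-through backend, writes and deletes reach the real directory, which is the out-of-box damage the text describes. The copy-on-write overlay backend is one generic way to keep the disk untouched and is an assumption for comparison, not the solution the patent later proposes. The host files and the guest's behavior are constructed for the example.

```python
"""Toy API-proxy sandbox: monitoring API call sequences, and showing why a
pass-through file backend exposes the host disk (added example, not patent code)."""
import os
import tempfile
from typing import Callable, Dict, List, Set, Tuple


class PassThroughFS:
    """Backend that forwards file I/O directly to the real directory (vulnerable design)."""

    def __init__(self, root: str) -> None:
        self.root = root

    def _path(self, name: str) -> str:
        return os.path.join(self.root, name)

    def read(self, name: str) -> bytes:
        with open(self._path(name), "rb") as f:
            return f.read()

    def write(self, name: str, data: bytes) -> None:
        with open(self._path(name), "wb") as f:
            f.write(data)

    def delete(self, name: str) -> None:
        os.remove(self._path(name))


class ShadowFS:
    """Copy-on-write overlay (assumed alternative): reads fall through to the real
    files, but writes and deletes are held in memory so the disk is never modified."""

    def __init__(self, root: str) -> None:
        self.root = root
        self.overlay: Dict[str, bytes] = {}
        self.deleted: Set[str] = set()

    def read(self, name: str) -> bytes:
        if name in self.deleted:
            raise FileNotFoundError(name)
        if name in self.overlay:
            return self.overlay[name]
        with open(os.path.join(self.root, name), "rb") as f:
            return f.read()

    def write(self, name: str, data: bytes) -> None:
        self.deleted.discard(name)
        self.overlay[name] = data

    def delete(self, name: str) -> None:
        self.overlay.pop(name, None)
        self.deleted.add(name)


class APIAdaptor:
    """Intercepts every API call from the guest, logs (operation, file) and forwards it."""

    def __init__(self, backend) -> None:
        self.backend = backend
        self.trace: List[Tuple[str, str]] = []

    def __getattr__(self, op: str) -> Callable:
        impl = getattr(self.backend, op)

        def call(name: str, *args):
            self.trace.append((op, name))  # record the call sequence before forwarding
            return impl(name, *args)

        return call


def tampered_host_files(trace: List[Tuple[str, str]], preexisting: Set[str]) -> Set[str]:
    """Simple behavioral rule over the logged sequence: which files that existed
    before the guest ran did it write to or delete?"""
    return {name for op, name in trace if op in ("write", "delete") and name in preexisting}


def malicious_guest(api) -> None:
    """Constructed guest: overwrites one host file and deletes another."""
    api.read("notes.txt")
    api.write("notes.txt", b"INFECTED")
    api.delete("report.txt")


def demo(backend_cls) -> Tuple[List[Tuple[str, str]], Dict[str, bytes], Set[str]]:
    """Seed a temporary directory with constructed host files, run the guest through
    the adaptor, and return (call trace, host files afterwards, flagged files)."""
    seed = {"notes.txt": b"hello", "report.txt": b"q3 numbers"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in seed.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        api = APIAdaptor(backend_cls(root))
        malicious_guest(api)
        after = {}
        for name in sorted(os.listdir(root)):
            with open(os.path.join(root, name), "rb") as f:
                after[name] = f.read()
        return api.trace, after, tampered_host_files(api.trace, set(seed))


if __name__ == "__main__":
    for cls in (PassThroughFS, ShadowFS):
        trace, after, flagged = demo(cls)
        print(cls.__name__, "trace:", trace, "host after:", after, "flagged:", flagged)
```

Both runs produce the identical call trace, so the monitoring value of the adaptor is the same in either case; the difference is only where the forwarded I/O lands. With `PassThroughFS` the host directory ends up with `notes.txt` overwritten and `report.txt` gone, while with `ShadowFS` the host files are unchanged and the guest's modifications exist only in the overlay.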
Another way data in a hard disk may be infected or corrupted arises from the disabling or unavailability of so-called anti-virus “in-the-cloud” services normally utilized by the computer. As a software distribution model in which security services are hosted by vendors and made available to customers over the Internet, such services have been advocated as a next generation model for virus detection.
This approach to defending computers against malware employs a set of “cloud” (i.e., Internet) servers which analyze and correlate new attacks and generate vaccinations online. With this infrastructure, in-the-cloud services can sharply reduce the computing burden on client computers, and can make security products more effective in stopping new malware. Furthermore, customers do not need to install a full copy of the virus signature file, and need only keep a small set of “cloud signatures” and, in some cases, an in-the-cloud scan engine software module or agent. The benefits include easy deployment, low cost of operation, and fast signature updating.
However, an anti-virus “in-the-cloud” service may become ineffective or disabled under certain circumstances. For example, a network connection may be lost if there are denial-of-service attacks on the “cloud” servers. In another scenario, the client computer may go offline, in which case the in-the-cloud service becomes inaccessible. When the in-the-cloud service is not available, the client computer currently has few options for protecting itself against malware. And when not protected, the hard disk is at risk of being corrupted. One option is using quarantine technology to prevent the computer user from accessing any potentially dangerous files or applications, for example, applications that are downloaded or copied from unauthorized sources, such as portable devices (e.g., digital cameras, cell phones, media players).
However, quarantine technology is generally not a practical solution because often a user is blocked from accessing many safe and conventional applications stored on the hard disk, including those that the user accesses frequently during normal use. Many such applications may be quarantined on the hard disk and, thus, inaccessible to the user. This approach may significantly hamper use of the computer and frustrate the user. A blanket quarantine approach which places in quarantine any and all files or applications from unknown or unauthorized sources is likely to have many “false positives.” That is, many applications that are safe and are used by the user regularly may be quarantined and inaccessible.
Thus, it would be desirable to implement an emulator that cannot corrupt a hard disk. It would be further desirable to have an effective anti-virus capability for a computer when the computer is temporarily unable to access in-the-cloud anti-virus services and that at the same time will not significantly hamper normal use of the computer.